Generic Dropper.p

Type: Trojan
SubType: Dropper
Discovery Date: 10/11/2005
Length: varies
Minimum DAT: 4602 (10/11/2005)
Updated DAT: 5810 (11/22/2009)
Minimum Engine: 5.1.00
Description Added: 10/11/2005
Description Modified: 03/04/2009 4:11 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update March 4, 2009 --

Some variants have displayed the following characteristics.

The following data/value pairs have been added (class ID and value names may be random):

  • HKEY_CLASSES_ROOT\CLSID\{CC22E8D6-3B73-077E-DD49-EA81789AB64A} "(Default)" "kbdsgi"
  • HKEY_CLASSES_ROOT\CLSID\{CC22E8D6-3B73-077E-DD49-EA81789AB64A}\InprocServer32 "(Default)" "C:\WINDOWS\system32\kbdsgi.dIl"
  • HKEY_CLASSES_ROOT\CLSID\{CC22E8D6-3B73-077E-DD49-EA81789AB64A}\InprocServer32 "ThreadingModel" "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\kbdsgi "(Default)" "{CC22E8D6-3B73-077E-DD49-EA81789AB64A}"

The following files are added:

  • %WinDir%\system32\dsuiqxt.dat (filename may be random)
  • %WinDir%\system32\fldrcxnr.dat (filename may be random)
  • %WinDir%\system32\iologmrg.dat (filename may be random)
  • %WinDir%\system32\kbdsgi.dat (filename may be random)
  • %WinDir%\system32\kbdsgi.dIl (filename may be random)

(Where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS, etc.)

-- Update May 13, 2008 --

Upon execution, a new variant of Generic Dropper.p trojans drops the following files:

  • %WinDir%\system32\deskaspi.dat (filename may be random)
  • %WinDir%\system32\rtmra.dat (filename may be random)
  • %WinDir%\system32\rtmra.dIl (filename may be random, identified as Generic Spy.e trojan)
  • %WinDir%\system32\winstf.dat (filename may be random)
  • %WinDir%\system32\wlnotiey.dat (filename may be random)

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS, etc.)

-- Update November 7, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blog.washingtonpost.com/securityfix/2007/11/deconstructing_the_fake_ftc_em.html?nav=rss_blog
--

The most recent variant of this threat arrived in spam email messages.

Upon clicking the link, the following file is downloaded.

Upon running the executable file, the following files are dropped:

  • %SystemDir%\GenuineLicence.exe 65,024 bytes (Generic Dropper.p trojan)
  • %SystemDir%\kbd.dll 5,632 bytes (Generic Keylogger trojan)
  • %SystemDir%\test.dll 31,744 bytes (Generic BackDoor.u trojan)

The trojan modifies the following registry key.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "service" = %SystemDir%\GenuineLicence.exe
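
The two persistence locations above (a shell icon overlay handler whose CLSID points at a DLL under system32, and a Run key value) can be audited with the following script. It is an added defender-side check and not part of this McAfee description; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, and the function names are its own.

```powershell
# Added defender-side triage script, not part of the McAfee description. It walks the two
# persistence locations named on this page (ShellIconOverlayIdentifiers -> CLSID\InprocServer32,
# and the HKLM Run key) and flags entries whose binary is missing or not Authenticode-signed.
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt.
$overlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Test-BinaryTrusted([string]$Path) {
    # "Trusted" here means the file exists and carries a valid Authenticode signature.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    return (Get-AuthenticodeSignature -FilePath $Path).Status -eq 'Valid'
}

function Get-OverlayHandlerReport {
    foreach ($sub in Get-ChildItem -Path $overlayKey -ErrorAction SilentlyContinue) {
        $clsid = (Get-ItemProperty -Path $sub.PSPath).'(default)'
        if (-not $clsid) { continue }
        # The CLSID's InprocServer32 default value is the DLL Explorer loads in-process.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        [pscustomobject]@{
            Source     = 'ShellIconOverlayIdentifiers'
            Name       = $sub.PSChildName
            CLSID      = $clsid
            Binary     = $dllPath
            Suspicious = -not (Test-BinaryTrusted $dllPath)
        }
    }
}

function Get-RunKeyReport {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider metadata properties
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        # Take the executable from a quoted or unquoted command line, dropping any arguments.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        [pscustomobject]@{
            Source     = 'Run'
            Name       = $p.Name
            CLSID      = $null
            Binary     = $exe
            Suspicious = -not (Test-BinaryTrusted $exe)
        }
    }
}

@(Get-OverlayHandlerReport) + @(Get-RunKeyReport) | Where-Object Suspicious | Format-Table -AutoSize
```

Legitimate but unsigned third-party handlers will also be listed, so treat the output as a triage list to review against the file names and CLSID layout described above rather than as a verdict.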

Symptoms

Existence of mentioned files and registry key.

Method of Infection

The most recent variant of this threat arrived in spam email messages.

Droppers are not viruses and as such contain no method of replicating themselves. However, they may be downloaded by other viruses and/or Trojans and installed on the user's system.

Many of these may additionally be mass-spammed by the author to entice people into executing them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Dropper onto the user's system with no user interaction).

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if that combination is in use.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

Droppers are files which contain other binaries within their body. They act like a self-extracting ZIP file, taking the files stored inside and installing them on the affected machine.

The types of files dropped by many droppers include other Trojans (such as Downloaders to download yet more files from the remote machine, BackDoors to allow the hacker remote access to the client machine, and Dialers to change the dial-up settings of the client's Internet connection, normally to a premium-rate number).